'Gozi Trojan trio' blamed for multimillion-dollar bank raid spree

NASA systems among 1,000,000 computers suspects accused of infecting

Common Topics

US prosecutors have accused three people of using a bank-account raiding Trojan to infect at least one million computers and steal millions of dollars.

Russian national Nikita Kuzmin, 25, Latvian resident Deniss Calovskis, 27, and Mihai Ionut Paunescu, a 28-year-old Romanian, were behind the scam, according to charges filed against them. The allegations were revealed in an indictment unsealed on Wednesday, 23 January. The US wants to extradite both Calovskis and Paunescu from their respective countries.

Systems at NASA were among the 40,000 computers in the US infected by the trio's Gozi Trojan, described in a US Department of Justice statement as "one of the most financially destructive computer viruses in history"*.

Kuzmin, who masterminded the Trojan, was arrested in the US in November 2010 and pled guilty to various computer hacking and fraud charges in May 2011. Calovskis, who allegedly helped program Gozi, was arrested in Latvia in November 2012. Paunescu (AKA Virus) allegedly supplied the "bulletproof [web] hosting" service that helped Kuzmin and other crooks distribute the Trojan as well as ZeuS, SpyEye and other malware - some linked to spam distribution and DDoS shenanigans. Paunescu was arrested in Romania in December 2012.

FBI Assistant Director-in-Charge George Venizelos said:

This long-term investigation uncovered an alleged international cybercrime ring whose far-reaching schemes infected at least one million computers worldwide and 40,000 in the US, and resulted in the theft or loss of tens of millions of dollars. Banking Trojans are to cyber criminals what safe-cracking or acetylene torches are to traditional bank burglars – but far more effective and less detectable. The investigation put an end to the Gozi virus.

The Gozi Trojan first surfaced in 2007. Over the years it has infected Microsoft Windows computers in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere, causing tens of millions of dollars in losses to individuals, businesses and governments whose computers were compromised. Gozi was distributed in various guises, most commonly disguised as a benign PDF document.

Kuzmin rented out access to the latest versions of the Gozi Trojan on a weekly basis through a business called "76 Service", which was advertised on various underground cybercrime forums.

From 2009 onwards he sold the source code to various conspirators, some of whom paid others to refine, update, and improve the software nasty. Calovskis was allegedly among the most able of these black-hat programmers. US prosecutors blame him for developing code, known as "web injects", that altered how the web pages of particular banks appeared on infected computers.

One such "redesign" changed a bank's welcome page on a compromised machine to trick victims into disclosing additional personal information – such as their mother’s maiden name, social security number, driver’s licence information and account PIN – supposedly needed in order to continue to access the banking website. These details were then relayed to crooks to exploit as they wished.

Various versions of Gozi were tailor-made to attack banks targeted by each underworld buyer. Paunescu allegedly operated the servers that collected the swiped personal data and controlled infected machines. He allegedly acted as an ISP for crooks, charging them a premium for providing a degree of anonymity and fending off takedown requests from security firms and upstream service providers.

As the US Department of Justice points out, "the charges contained in the indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty".

The case was handled by NASA's Office of Inspector General; Latvian State Police; the Romanian Intelligence Service; the Romanian Directorate for Combating Organized Crime; the Romanian Directorate for Investigating Organized Crime and Terrorism; and the FBI and various prosecuting agencies led by Preet Bharara, the US Attorney for the Southern District of New York, and Lanny A. Breuer, the Assistant Attorney General of the Department of Justice’s Criminal Division. ®

Bootnote

* While US prosecutors describe Gozi as a virus it doesn't replicate itself and for this and other reasons is better described as a Trojan.